{
	"ociVersion": "1.0.0[% IF !c("var_p/runc_spec100") %]-rc1[% END %]",
	"platform": {
		"os": "linux",
		"arch": "amd64"
	},
	"process": {
		"terminal": [% IF c("interactive") %]true[% ELSE %]false[% END %],
		"user": {
			"uid": 0,
			"gid": 0
		},
		"args": [
			"/rbm/run"
		],
		"env": [
			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
			"TERM=xterm"
		],
		"cwd": "/",
[% IF c("var_p/runc_spec100") -%]
		"capabilities": {
			"bounding": [
				"CAP_AUDIT_WRITE",
				"CAP_KILL",
				"CAP_NET_BIND_SERVICE",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_MKNOD",
				"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
				"CAP_SYS_ADMIN",
[% END -%]
				"CAP_FSETID",
				"CAP_FOWNER",
				"CAP_DAC_OVERRIDE",
				"CAP_CHOWN"
			],
			"effective": [
				"CAP_AUDIT_WRITE",
				"CAP_KILL",
				"CAP_NET_BIND_SERVICE",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_MKNOD",
				"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
				"CAP_SYS_ADMIN",
[% END -%]
				"CAP_FSETID",
				"CAP_FOWNER",
				"CAP_DAC_OVERRIDE",
				"CAP_CHOWN"
			],
			"inheritable": [
				"CAP_AUDIT_WRITE",
				"CAP_KILL",
				"CAP_NET_BIND_SERVICE",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_MKNOD",
				"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
				"CAP_SYS_ADMIN",
[% END -%]
				"CAP_FSETID",
				"CAP_FOWNER",
				"CAP_DAC_OVERRIDE",
				"CAP_CHOWN"
			],
			"permitted": [
				"CAP_AUDIT_WRITE",
				"CAP_KILL",
				"CAP_NET_BIND_SERVICE",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_MKNOD",
				"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
				"CAP_SYS_ADMIN",
[% END -%]
				"CAP_FSETID",
				"CAP_FOWNER",
				"CAP_DAC_OVERRIDE",
				"CAP_CHOWN"
			],
			"ambient": [
				"CAP_AUDIT_WRITE",
				"CAP_KILL",
				"CAP_NET_BIND_SERVICE",
				"CAP_SETGID",
				"CAP_SETUID",
				"CAP_MKNOD",
				"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
				"CAP_SYS_ADMIN",
[% END -%]
				"CAP_FSETID",
				"CAP_FOWNER",
				"CAP_DAC_OVERRIDE",
				"CAP_CHOWN"
			]
		},
[% ELSE -%]
		"capabilities": [
			"CAP_AUDIT_WRITE",
			"CAP_KILL",
			"CAP_NET_BIND_SERVICE",
			"CAP_SETGID",
			"CAP_SETUID",
			"CAP_MKNOD",
			"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
			"CAP_SYS_ADMIN",
[% END -%]
			"CAP_FSETID",
			"CAP_FOWNER",
			"CAP_DAC_OVERRIDE",
			"CAP_CHOWN"
		],
[% END -%]
		"rlimits": [
			{
				"type": "RLIMIT_NOFILE",
				"hard": 1024,
				"soft": 1024
			}
		],
		"noNewPrivileges": true
	},
	"root": {
		"path": "rootfs",
		"readonly": false
	},
	"hostname": "runc",
	"mounts": [
		{
			"destination": "/proc",
			"type": "proc",
			"source": "proc"
		},
		{
			"type": "bind",
			"source": "/etc/resolv.conf",
			"destination": "/etc/resolv.conf",
			"options": [
				"rbind",
				"ro"
			]
		},
		{
			"destination": "/dev",
			"type": "tmpfs",
			"source": "tmpfs",
			"options": [
				"nosuid",
				"strictatime",
				"mode=755",
				"size=65536k"
			]
		},
		{
			"destination": "/dev/pts",
			"type": "devpts",
			"source": "devpts",
			"options": [
				"nosuid",
				"noexec",
				"newinstance",
				"ptmxmode=0666",
				"mode=0620",
				"gid=5"
			]
		},
		{
			"destination": "/dev/shm",
			"type": "tmpfs",
			"source": "shm",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"mode=1777",
				"size=65536k"
			]
		},
		{
			"destination": "/dev/mqueue",
			"type": "mqueue",
			"source": "mqueue",
			"options": [
				"nosuid",
				"noexec",
				"nodev"
			]
		},
		{
			"destination": "/sys",
			"type": "sysfs",
			"source": "sysfs",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"ro"
			]
		},
		{
			"destination": "/sys/fs/cgroup",
			"type": "cgroup",
			"source": "cgroup",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"relatime",
				"ro"
			]
		}
	],
	"hooks": {},
	"linux": {
		"resources": {
			"devices": [
				{
					"allow": false,
					"access": "rwm"
				}
			]
		},
		"namespaces": [
			{
				"type": "pid"
			},
			{
				"type": "ipc"
			},
			{
				"type": "uts"
			},
[% IF c("var/container/disable_network/" _ c("exec_name")) -%]
			{
				"type": "network",
				"path": "/var/run/netns/rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]"
			},
[% END -%]
			{
				"type": "mount"
			}
		],
		"maskedPaths": [
			"/proc/kcore",
			"/proc/latency_stats",
			"/proc/timer_stats",
[% IF c("var_p/runc_spec100") -%]
			"/proc/timer_list",
			"/sys/firmware",
[% END -%]
			"/proc/sched_debug"
		],
		"readonlyPaths": [
			"/proc/asound",
			"/proc/bus",
			"/proc/fs",
			"/proc/irq",
			"/proc/sys",
			"/proc/sysrq-trigger"
		]
	},
	"solaris": {
		"cappedCPU": {},
		"cappedMemory": {}
	}
}
